Posted by Markus on 02/07/07 14:53
Jerry Stuckle schrieb:
> J.O. Aho wrote:
>>> To be honest, I never understood what is the point in collecting this
>>> value at all, it just had been there in the first sample script I got
>>> from my first PHP teacher years ago...
>>
>> The vast majority of users will have one and the same IP-number each
>> time they request a page during the same session, so you can use that
>> ip-number to check if the request comes from the same machine or not,
>> if you get another ip, you can assume that someone has managed to
>> sniff the session id and is trying to take over that session, then you
>> could terminate the session and request for the user to login once more.
>>
>
> Mostly true. But many users can change IP addresses each time because
> they are using a pool of proxy servers. AOL is a great example of this,
> but there are others.
>
> And most corporations have a firewall and everyone behind the firewall
> uses the same IP address. So you could have hundreds or even thousands
> of people using the same IP address.
>
>> If you feel it's overkill, then remove the whole thing, no point in
>> keeping an IP-number in a database if you're not gonna use it.
>>
>
> Sessions are not security. If you need security, use a secure protocol.
> Then you won't have a problem with sniffing session id's.
These are interesting points. The application is intended to be used in
various shared-hosting based environments; the choice of the protocol is
not part of it. But I just thought about introducing some kind of
low-level security by adding an ip check as an option, which can be
turned off if the administrators work in an environment where the ip is
likely to change during the session.
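The optional IP check discussed in this thread, written out as an added example (this is not the original poster's code or any code from the thread). It assumes a configuration array `$config` with an administrator-controlled switch `check_session_ip`, and a `login.php` page to send the user to when the session is discarded; both names are placeholders chosen for the example.

```php
<?php
// Added example: bind a PHP session to the client address as an optional check.
// Assumptions (not from the thread): $config['check_session_ip'] is set by the
// administrator, and login.php is the page shown after the session is discarded.

$config = [
    // Set to false when the administrators sit behind a proxy pool whose
    // client address changes between requests (the AOL case from the thread).
    'check_session_ip' => true,
];

session_start();

/**
 * Decide whether the current request may keep using the session.
 * Returns true to continue, false when the session should be discarded.
 */
function session_ip_is_consistent(array $config, string $remoteAddr): bool
{
    if (!$config['check_session_ip']) {
        return true; // check switched off by the administrator
    }
    if (!isset($_SESSION['ip'])) {
        // First request of this session: remember the address we saw.
        $_SESSION['ip'] = $remoteAddr;
        return true;
    }
    // REMOTE_ADDR is the address of the TCP peer as seen by the web server.
    // Do not substitute X-Forwarded-For here: that header is supplied by the
    // client and can be set to whatever value an attacker likes.
    return $_SESSION['ip'] === $remoteAddr;
}

if (!session_ip_is_consistent($config, $_SERVER['REMOTE_ADDR'])) {
    // The address changed mid-session: treat the session id as possibly
    // stolen, drop the server-side state and the cookie, and ask the user
    // to log in again, as suggested in the thread.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}

// Normal page processing continues here for a consistent session.
```

Two limits follow directly from the objections raised in the thread: a hijacker sitting behind the same corporate firewall or NAT as the victim presents the same address and is not detected, and a legitimate user whose proxy pool rotates addresses is logged out by a false positive, which is why the switch exists. The check is a heuristic for spotting a session id that was sniffed and replayed from elsewhere; it does not replace carrying the session cookie over a secure protocol, which is what stops the sniffing in the first place.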